spring-authorization-server

When creating an OAuth2 client in Spring Authorization Server, do I need to specify {noop} in the secret?


I have 2 questions on Spring Authorization Server OAuth2 client creation, which are probably silly-sounding ones.

Question 1:

In the examples in the Spring Authorization Server I saw "{noop}secret". What is that "{noop}" supposed to do, as in the following code?

import java.util.UUID;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;

RegisteredClient client = RegisteredClient.withId(UUID.randomUUID().toString())
                    .clientId(clientId)
                    .clientSecret("{noop}" + secret)  // <-- this
                    .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                    .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
                    .scope(OidcScopes.OPENID)
                    .scope(OidcScopes.PROFILE)
                    .build();

I didn't create any beans such as BCryptPasswordEncoder, so it sounds like I need to declare a bean of that type. Do I then need to encode the secret programmatically when saving the OAuth2 client, like this:

 .clientSecret(bcryptPassword.encode(secret))  // like that?

Question 2: I created an OAuth2 client a few months back and now I can't remember the secret anymore. When I look in the database it is in bcrypt form, `{bcrypt}$2a$...`, and I don't know how it became that value. I believe it was in the form "{noop}mysecretvalue".

Thank you


Solution

  • Question 1:
    If you don't want to encode your password when you save it to the repository, you can do so by adding the prefix {noop} to your secret. When you do this, Spring will use the NoOpPasswordEncoder under the hood when it compares the password provided by the user with the one you have configured.

    If you are using a BCryptPasswordEncoder, you have to encode your password, as you have already mentioned.

    Eg: clientSecret(bcryptPasswordEncoder.encode(secret))

    However, the NoOpPasswordEncoder is deprecated and Spring advises using an adaptive one-way encoding function like BCrypt.

  • Question 2:
    This is happening due to the UpgradeEncoding feature in the Spring Authorization Server. When you declare a BCryptPasswordEncoder bean later on, and you previously had a {noop}secret saved in your repository, this feature interprets that as meaning you have upgraded the password encoder and now want to upgrade the secret. So it will upgrade your secret accordingly. If you still want to use secrets without encoding, you should specifically declare a NoOpPasswordEncoder bean. You can read more about this here.